
Hi,

I'm trying to set a CSP for our site, but it seems that the Forms Content Security Policy (CSP) > Organisation CSP Header can only accept a maximum of 1,000 characters. I expect this may be a TM database constraint, rather than a web/HTTP header constraint.

We have a number of domains that we need to whitelist for things like analytics, web optimization and others; however, the list exceeds 1,000 characters.

Is there a limit to the number of characters allowed in the CSP Header?


Thanks

Mark


    2 answers

    1.  

      Hi Mark,

      You have that config in TM: Forms/Organizations, select the organization to modify, tab Security: Forms Content Security Policy (CSP).

      You can select override policy and add your constraints.


      Kind regards,

      Julio.

      1. Mark Murray

        Hi Julio,

        thanks for the comment.

        I am familiar with the CSP settings, but I had a situation where I had to add more domains to the existing list. When I tried to add the extra domains not all the text was accepted in the field.

        The list I had was greater than 1,000 characters, and the last few characters were truncated, so the CSP policy was not valid.

        I did find a way to decrease the size of the domain list (by using a subdomain wildcard), so that the text was less than 1,000 characters, and so I managed to get a valid policy loaded.


        Thanks

        Mark

      2. Julio Berrueco

        Hi Mark, sorry, my bad, I misunderstood the question. That's the best practice.

    2.  

      Hi,

      I found a way to more efficiently list some of the allowed domains.

      To handle sub domains you can use wildcards, like *.goggle.com, instead of listing each sub domain explicitly.

      But I'm still interested to know if there is a TM limit.


      Hope that helps someone out there.

      Thanks

      Mark

      1. Christopher Eagar

        Good work Mark, thanks for sharing that.
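
The wildcard approach from this answer, as an added example that is not part of the original posts or TM's own code: it collapses listed subdomains into `*.parent` only for parent domains on an explicitly reviewed list, then checks the result against the 1,000-character limit reported in the question. The domains, function names and the `approved_parents` parameter are constructed for illustration.

```python
FIELD_LIMIT = 1000  # limit reported in the question; not a documented TM value

def parse_policy(policy):
    """Split a CSP string into {directive: [sources]}; first duplicate wins, as in CSP."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def wildcard_for(source, approved_parents):
    """Map a host-source to *.parent only if parent is on the reviewed allow-list."""
    if source.startswith("'") or source.endswith(":"):
        return source  # keyword ('self') or scheme-source (data:)
    scheme, sep, host = source.rpartition("://")
    if "/" in host or ":" in host or host.startswith("*"):
        return source  # leave paths, ports and existing wildcards untouched
    for parent in sorted(approved_parents, key=len, reverse=True):
        if host.lower().endswith("." + parent):
            return f"{scheme}{sep}*.{parent}"
    return source  # the apex itself is not covered by *.parent, so it stays

def compact_policy(policy, approved_parents):
    """Rewrite each directive with wildcards, dropping duplicates, keeping order."""
    out = []
    for name, sources in parse_policy(policy).items():
        kept = []
        for src in sources:
            new = wildcard_for(src, approved_parents)
            if new not in kept:
                kept.append(new)
        out.append(" ".join([name] + kept))
    return "; ".join(out)

def overflow(policy, limit=FIELD_LIMIT):
    """Characters that would be cut off by the field; 0 means the policy fits."""
    return max(0, len(policy) - limit)

# Constructed sample: 60 tracker subdomains push the policy past the limit.
SAMPLE = ("script-src 'self' https://metrics.test "
          + " ".join(f"https://t{i}.metrics.test" for i in range(60))
          + "; img-src data: https://img.cdn.test/px")

if __name__ == "__main__":
    compact = compact_policy(SAMPLE, {"metrics.test"})
    print(overflow(SAMPLE), overflow(compact))
    print(compact)
```

A wildcard entry allows every subdomain of the approved parent, and `*.metrics.test` does not match `metrics.test` itself, which is why the apex stays as its own entry.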
